In a recent post I expounded on the use of the Kibana Swimlane plugin with Savvius Insight to add a cool and useful new visualization to your dashboards. If you missed that post, you can check it out here and get an intro on how the built-in ELK reporting on Insight can be extended with plugins. At the end of that post I said I would write soon about another Kibana plugin called Graph. Here is the teaser photo I included in that post:
Graph is a different kind of plugin than Swimlane because it is not used for dashboard visualizations, rather it is more like a separate app that you access from the Kibana UI. In some ways this is too bad, because I would love to add Graph visualizations to my dashboards. Adding them to my dashboards also means that the settings made to a Graph visualization would be preserved. As it is with Graph, there is no way to save the settings. Still, Graph is extremely cool, and I am not aware of another tool that makes it so easy to represent relationships in data the same way.
First, to install the Graph Kibana plugin, go to the following site and follow the sample instructions: https://www.elastic.co/downloads/graph. As I explained in the previous post, you will need to SSH into the Savvius Insight device and enable PERSIST in order to perform the installation. Yes, it would be nice if plugins could be installed from the Kibana UI itself. Hmm, maybe there could be a plugin to install plugins? Seems reasonable. After the install, you can go to the Kibana UI, hit the applications icon, and see Graph.
Clicking on Graph will take you to the Graph UI. Graph is super cool, but the control user interface is wonky, and took me a while to figure out. Definitely some room for improvement there.
Graph uses relationships in fields of events. Once you give it the index pattern, it knows what the fields are and provides you with the UI to select the fields from a list, and the number of hops for each. However, in order to display the list of fields, you have to enable advanced mode, which is the beacon icon at the far right of the Graph toolbar. In the list of fields, choose Event.raw and geoip.city_name.raw. Personally, I don’t like the raw vs non-raw distinction of the string fields in the UI. It seems like Kibana/Graph could just display the non-raw string name, and use the right one under the hood. But anyway, put a star (*) into the filter field, and hit Enter. Once the query is complete; you should see something like the screenshot below. I love the way it draws itself, especially when there are many nodes.
By adding the SourceAddr.raw field, you will see events, the IP addresses of the machines that caused the events to be generated, and the cities they occurred in. Adding DestAddr.raw adds the destination address to the mix. By the way, when you make changes, you have to hit the Undo button to clear the screen before filtering again, or stuff will accumulate.
You may have noticed that your graph does not have a lot of nodes in it. This is because the default query is limited to a sample size of 2000 terms. You can increase this in the settings screen to see more nodes and connections. If you increase the sample size, you may also need to increase the timeout, since it may take longer to finish the query. You can also change the number of terms per hop for each field. So as you can see, there are all kinds of controls. When I bumped the hops and sample size way up, I got this cool looking graph:
I am not sure how useful it is, but it looks great! And it would be even better if I could move the nodes around and have it remember where I put them. Oh well. I will give the Graph guys credit for allowing the name of a node to be changed.
Pretty cool? So what are you waiting for? Go download Graph onto your Savvius Insight, and start visualizing your network data! If you do not have a Savvius Insight at every remote location on your network, click here to read a whitepaper about why you should.
Chris Bloom, Technology Evangelist at Savvius